The General Data Protection Regulation (GDPR) changes how businesses may collect, store and use personal information about their employees as well as their customers. It applies in every European Union (EU) member state, including the UK, and aims to unify data protection rules across the bloc. It also reaches beyond the EU: a company based outside the region that processes the personal data of individuals in the EU (for example by offering them goods or services or monitoring their behaviour) falls under the GDPR too.
For businesses based or operating in the UK it is important to note that, even though the country is due to withdraw from the EU, it remains subject to the GDPR at least until the scheduled withdrawal date in March 2019. Every organization operating in Europe therefore needs to understand its obligations under the GDPR and what it must do to meet them.
Is my company affected?
Yes. Every organization is accountable under the GDPR, however large or small. The regulation does not depend on the size of your company or on whether you collect information about potential customers through your website, because it covers all personal data you hold, not just marketing data.
Any company that stores personal data must comply, and that includes anyone who employs another person. Every organization holds basic information about its employees, such as bank details or home addresses, in order to comply with employment law, and that information is personal data under the GDPR.
Technology has moved far faster than legislation, and few existing regulations reflect the many ways data can now be gathered, stored and used. At the same time, companies need to protect that data against the growing threat of cybercrime. The GDPR aims to bring the law in line with modern online life and to give individuals real control over their personal information.
What does it change?
The aim of the new legislation is to close loopholes that companies may have exploited in the past, and to raise the penalties for failing to take the right precautions.
Broadly speaking, the GDPR gives more rights to the individual, which can be broken down into a few key areas:
- Informed - companies must tell individuals what personal data they collect, why and on what legal basis it is processed, how long it is kept and who it is shared with
- Access - you must provide a way for individuals to see the data you hold on them and obtain a copy of it for their own use
- Rectification - companies must allow people to correct inaccurate or incomplete information
- Erasure - people must be allowed to ask you to delete or remove their personal data (often called the right to be forgotten)
- Restriction - individuals can require you to stop processing their data while still storing it, for example while a dispute over its accuracy is resolved; a related right lets them challenge decisions about them that are made solely by automated processing rather than by a person
- Objection - companies must allow individuals to opt out of direct marketing, and to object to their information being used for other purposes such as research
When will it come into effect?
The regulation applies from May 25 2018, but there are things your company should be doing right now to ensure it meets the standards the legislation sets. As HR, you are ideally placed to take a leading role in how your organization prepares for the GDPR deadline.
Here are five key questions to ask yourself before the 2018 deadline:
- Do individuals know how to ask you to remove their information?
- What is the process for handling these requests?
- How long does it take you to respond to a request to remove personal information? (The GDPR generally expects a response within one month.)
- Do you need anyone else's consent for the data you hold, for example a parent's consent for data about children, or a carer's for vulnerable adults?
- What is your plan for when a data breach occurs? (The GDPR requires most breaches to be reported to the supervisory authority within 72 hours.)
Asking yourself these questions helps you identify where your data policy may fall short once the GDPR takes effect. It is also worth checking whether the rest of the company feels prepared for the changes; basic training in data protection and security is a worthwhile investment in protecting both your organization and the people whose data it holds.
What are the penalties?
One of the most significant changes brought about by the GDPR is the size of the fines for non-compliance. Personal data is serious business, whether it belongs to your employees or your customers, and the penalties reflect this.
From May 2018, the most serious infringements can be fined up to 20 million euros or 4% of a company's global annual turnover, whichever is higher. A lower tier of up to 10 million euros or 2% of global annual turnover applies to other breaches of the regulation.